[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Pki-devel] [PATCH] 0042 Upgrade: add scriptlet to add profile schema

On 6/18/2015 4:31 AM, Fraser Tweedale wrote:
Attached patch adds upgrade scriptlet to add the certprofile schema.
This must be in the next build.

Side note: future cleanup should probably now remove the profiles
attributeTypes and objectClass from the main schema.ldif, and the
install script updated to import all the various schema files.  This
should make schema updates easier to do, and hard to forget! in the


One issue, all upgrade scripts must be idempotent, so the script should either check before modifying each item, or ignore failures of each modification (I think ldapmodify has a -c option). This is necessary because the script may need to run again, and also it's needed by replica to avoid conflicts with changes coming from master.

There are several restrictions imposed by the simultaneous database & package upgrade which should be document somewhere, and this applies to both standalone Dogtag and IPA:

1. The all DS replicas must be running when the package is installed, otherwise the upgrade will fail.

2. The upgrade must be done one server at a time, and the changes must be completely replicated before upgrading another replica, otherwise the changes might collide.

3. The changes must be backward compatible, otherwise replicas that have not been upgraded yet may have a problem.

4. Changes to the database/configuration in all replicas should be limited or prevented until all replicas are upgraded, otherwise it may cause inconsistencies.

5. If nuxwdog is enabled, the password.conf may not exist. The password.conf must be restored at least temporarily, otherwise the upgrade will fail.

6. Upgrade failures may not be known immediately unless the admin checks the upgrade log, or discovers that some functionalities are not working.

7. It's not possible to dry-run database upgrade. Depending on the changes, it may not be possible to revert database changes. The admin should be advised to create a backup before upgrade.

8. The admin should be careful with yum/dnf updates since it could trigger unplanned upgrade.

If the one issue above is fixed, and these restrictions are acceptable, it's ACKed.

In the next update I suggest we move all schema files into /usr/share/pki/server/schema.

Just a note, with a post-install database upgrade these restrictions may not exist or can be handled in a better way. If possible we might want to support both mechanisms: simultaneous upgrade for IPA or for certain scenarios, and post-install upgrade for Dogtag in general.

Endi S. Dewata

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]